Default HTTPS for popular sites add-on released for Internet Explorer

Cloud-based security services provider Zscaler has released an implementation for Internet Explorer of the HTTPS Everywhere browser security extension.

By
Lucian Constantin
| Dec 20, 2012

| IDG News Service

Share

TwitterFacebookLinkedInGoogle Plus

Cloud-based security services provider Zscaler has released an implementation for Internet Explorer of the HTTPS Everywhere browser security extension.

HTTPS Everywhere forces the browser to always connect over HTTPS (HTTP Secure) to popular websites that support the secure communication protocol but don't enable it by default. The extension also sets the "secure" flag for authentication cookies, preventing them from being transmitted over unencrypted connections.

Some HTTPS-enabled sites fail to set this flag for authentication cookies because they expect users to automatically be logged in even when they access the HTTP versions of the site. However, this allows attackers who compromised a network's gateway or who can sniff traffic on an unprotected wireless network, to steal the cookies from users and hijack their accounts.

HTTPS Everywhere was originally released as an extension for Mozilla Firefox in 2010 and is jointly developed by the Electronic Frontier Foundation (EFF), a digital rights watchdog organisation, and the Tor Project, the creators of the Tor anonymity software. A version for Google Chrome has also been released since then.

Version 0.0.0.1 of HTTPS Everywhere for Internet Explorer was released at the start of the week and was developed independently of the EFF or the Tor Project by Zscaler senior security researcher Julien Sobrier.

The IE implementation replicates the core functionality of the official Firefox and Chrome HTTPS Everywhere extensions and includes their default rule sets for popular websites. However, some additional features like the ability to create custom rules or the support for the HTTP Strict Transport Security (HSTS) security policy are still missing.

Related

"As the version number suggests, this is a very early release," Sobrier said. "I have been using the extension for several weeks without any problems, but it should be considered an alpha release."

The missing features will be added in future versions, the researcher said. For now, the primary goal is to share the source code for the IE version with the EFF and make it available through their website, he said.

In the meantime, people who want to use or try out HTTPS Everywhere for Internet Explorer can download it from a dedicated page on Zscaler's website.

However, this reporter had trouble accessing Wikipedia.org with the add-on enabled in the latest version of Internet Explorer 9 running on a 64-bit installation of Windows 7 Ultimate, so it seems that there are still some bugs to fix.

While this extension sounds like a good tool to have, it remains to be seen how many IE users will actually be interested in using it.

"IE users tend to be more passive and accepting of the default app, rather than adding DIY extensions - especially those with a security function," said David Harley, a senior research fellow at antivirus vendor ESET.

"I'm not convinced that it will be widely adopted unless Microsoft actually promotes it or, more likely, includes something similar in a future release," Harley said. "It might appeal to security hobbyists, but that's the group that's least likely to use IE."

Harley believes that adoption in corporate environments, where IE has a very strong user base, is also unlikely, at least with the extension's current limitations and at this early stage of development.